Jun 16, 2014

I swear to the sweet baby Jesus that if it isn't one thing it's another in network security. First there was Heartbleed, which caused all my company's banking clients to flip their shit. Everything was cool on my end because all of our servers were either Linux boxes running GnuTLS or Windows IIS, and Heartbleed only affected OpenSSL users.

Well, ZDNet recently reported on a major flaw in GnuTLS! Crap! From ZDNet:

According to RedHat, which issued an advisory for the latest bug on Saturday, GnuTLS runs an insufficient check on the session ID length during the TLS/SSL handshake between a client and server.

"A flaw was found in the way GnuTLS parsed session ids from Server Hello packets of the TLS/SSL handshake. A malicious server could use this flaw to send an excessively long session id value and trigger a buffer overflow in a connecting TLS/SSL client using GnuTLS, causing it to crash or, possibly, execute arbitrary code," the company wrote.

According to the article, the flaw is fixed in 3.1.25, 3.2.15 and 3.3.3. Checking the Ubuntu repositories, the only release that carries a GnuTLS version that is not susceptible to the bug is Utopic Unicorn (14.10), which hasn't been released yet. Crap! The version in the Utopic repositories is currently 3.2.15.

That leaves two options: build GnuTLS from source, or point apt at the Utopic repositories. I went with the latter on my personal mail server because it was easier. You may want to build from source instead, because switching to the Utopic repositories will update everything, not just GnuTLS. I like to live dangerously though, so this is what I did:

Change into your /etc/apt directory

cd /etc/apt

Create a backup of your sources.list file

cp sources.list sources.list.bak

Edit sources.list with your favorite text editor

nano sources.list

Replace your current release's codename with utopic wherever it appears. I tested this on 12.04, so I replaced precise with utopic.

Then run sudo apt-get update and sudo apt-get dist-upgrade to pull in the Utopic packages. If the upgrade stops with a dpkg error about the multiarch configuration, what you need to do is remove the /etc/dpkg/dpkg.cfg.d/multiarch file, then run sudo apt-get -f install to fix anything you're missing.

After doing this I ran gnutls-cli -v and received the following output:

gnutls-cli 3.2.15
Copyright (C) 2000-2014 Free Software Foundation, and others, all rights reserved.
This is free software. It is licensed for use, modification and
redistribution under the terms of the GNU General Public License,
version 3 or later <http://gnu.org/licenses/gpl.html>

Boom! GnuTLS 3.2.15! Hack me now!
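The whole procedure above, wrapped in a small POSIX shell script as an added example (this is not code from the original post). It backs up sources.list and swaps the release codename the same way the post does by hand in nano, parses the first line of the gnutls-cli -v banner, and compares the version against the fixed releases named above. The function names and the constructed 12.04 sources.list in the demo are mine; the demo runs in a temp directory so nothing under /etc is touched, and the real apt-get steps are left as comments.

```shell
#!/bin/sh
# Added example, not code from the original post. It wraps the post's manual
# steps in functions that can be tested offline:
#   retarget_sources            back up sources.list and swap one release
#                               codename for another (the nano edit in the post)
#   gnutls_version_from_banner  pull the version out of `gnutls-cli -v` output
#   gnutls_is_fixed             compare that version against the fixed releases
# Function names and the sample sources.list below are mine, not the post's.

# Fixed releases as the post reports them (3.1.25, 3.2.15, 3.3.3). Edit these
# if your vendor advisory names different versions.
FIXED_3_1=25
FIXED_3_2=15
FIXED_3_3=3

# retarget_sources FILE FROM TO
# Copies FILE to FILE.bak, then rewrites FILE from the backup with the release
# codename FROM replaced by TO. In a deb line the codename is preceded by a
# space and followed by a space, a '-' (precise-updates, precise-security) or
# the end of the line, so URLs and component names are never touched.
retarget_sources() {
    file=$1; from=$2; to=$3
    cp "$file" "$file.bak" || return 1
    sed -e "s/ $from\([ -]\)/ $to\1/g" \
        -e "s/ $from\$/ $to/" "$file.bak" > "$file"
}

# gnutls_version_from_banner BANNER
# Prints the version from the first banner line ("gnutls-cli 3.2.15" -> 3.2.15).
gnutls_version_from_banner() {
    printf '%s\n' "$1" | sed -n '1s/^gnutls-cli \([0-9][0-9.]*\).*/\1/p'
}

# gnutls_is_fixed VERSION
# Exit 0 if VERSION is at or past the fixed release on its branch (or on a
# later branch), 1 otherwise. Caveat: this trusts upstream version numbers
# only. A distro that backports the patch without bumping the version would
# show up as "not fixed" here, so read the vendor security notice as well.
gnutls_is_fixed() {
    major=${1%%.*}; rest=${1#*.}
    minor=${rest%%.*}; patch=${rest#*.}
    patch=${patch%%[!0-9]*}          # drop "-5ubuntu3" style package suffixes
    [ "$major" -gt 3 ] && return 0
    [ "$major" -lt 3 ] && return 1
    case $minor in
        1) [ "$patch" -ge "$FIXED_3_1" ] ;;
        2) [ "$patch" -ge "$FIXED_3_2" ] ;;
        3) [ "$patch" -ge "$FIXED_3_3" ] ;;
        *) [ "$minor" -gt 3 ] ;;
    esac
}

# First two lines of the banner the post shows, used as sample input.
SAMPLE_BANNER='gnutls-cli 3.2.15
Copyright (C) 2000-2014 Free Software Foundation, and others, all rights reserved.'

# Demo on a constructed 12.04 sources.list in a temp directory. On a real box
# you would instead run, as root:
#   retarget_sources /etc/apt/sources.list precise utopic
#   apt-get update && apt-get dist-upgrade
#   # if dpkg rejects the old multiarch config (see the post):
#   rm /etc/dpkg/dpkg.cfg.d/multiarch && apt-get -f install
demo() {
    tmp=$(mktemp -d) || return 1
    printf '%s\n' \
        'deb http://archive.ubuntu.com/ubuntu/ precise main restricted universe' \
        'deb http://archive.ubuntu.com/ubuntu/ precise-updates main restricted universe' \
        'deb http://security.ubuntu.com/ubuntu precise-security main restricted' \
        > "$tmp/sources.list"
    retarget_sources "$tmp/sources.list" precise utopic
    echo "--- before"; cat "$tmp/sources.list.bak"
    echo "--- after";  cat "$tmp/sources.list"
    ver=$(gnutls_version_from_banner "$SAMPLE_BANNER")
    if gnutls_is_fixed "$ver"; then
        echo "gnutls $ver: fixed"
    else
        echo "gnutls $ver: vulnerable"
    fi
    rm -rf "$tmp"
}
demo
```

Passing precise and utopic as arguments rather than hard-coding them means the same function works for any release jump; the version check is deliberately conservative and will flag a distro-patched 2.12.x or 3.0.x as unfixed, which is exactly the case where you should go read the vendor notice instead of trusting the number.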

In all honesty, and for stability's sake, the method in this article probably isn't the recommended way. You should probably just install from source...